
[Feature Request] Support OAuth2 Device code authorisation flow #97

Closed
fredrikhr opened this issue Nov 4, 2021 · 13 comments

Comments

@fredrikhr
Contributor

I would like httpyac to support the OAuth 2.0 Device authorization grant for the openid variable replacer.

Ref. RFC8628
Example of usage: Microsoft Identity platform

Proposal for httpyac:

GET https://graph.microsoft.com/v1.0/me
Authorization: openid device_code msidp

Reason:

This is a great way of authenticating from applications where you cannot/don't want to modify the redirect URL, and don't have access to/don't want to leak the client secret. And contrary to the implicit and hybrid authorization flows, the device code flow hasn't been deprecated by the OAuth standard and best practices.

@AnWeber
Owner

AnWeber commented Nov 4, 2021

I would be happy to add the Device Authorization Flow. But I would have to implement this more or less according to the spec. If the Postman examples from Microsoft Identity Server are executable, I can test it; otherwise I may need your help.
Is it technically possible to open the verification_uri directly in the browser or does a real device change have to take place? In that case, a QR code might make sense.

@AnWeber
Owner

AnWeber commented Nov 4, 2021

And thanks for the site. PKCE for the Authorization_Code flow is also described there :-)

@fredrikhr
Contributor Author

Yeah, I scripted it manually with on-request script hooks. Device code auth is how I usually authenticate with PowerShell and console apps. So you don't have to have an actual device change.

@AnWeber
Owner

AnWeber commented Nov 4, 2021

Nice. Then I would open a notification with the user_code and verification_uri and a button, which then opens the verification_uri.

@fredrikhr
Contributor Author

Can you add another button to copy the user_code to the clipboard?

@AnWeber
Owner

AnWeber commented Nov 5, 2021

Unfortunately, I have not been able to fully test the Device_Code Flow. The request for the device_code and the user_code works. It also opens the web page and the user_code is in the clipboard. But unfortunately I don't have a valid account for Microsoft and so I can only test the wait loop until expired_token. I do not have a successful call yet. I would ask you, once I have created the version, to test this case and give me feedback.

@fredrikhr
Contributor Author

Sure, I'd be happy to help!

@AnWeber
Owner

AnWeber commented Nov 5, 2021

A code review would be nice. You implemented it already and may spot a mistake.

@fredrikhr
Contributor Author

Sure, while scripting and integrating my scripts with httpyac, I have already familiarised myself with the code base and I am comfortable with reading TypeScript. Just point me to a publicly accessible branch and I'll take a look and test during the weekend or early next week.

@AnWeber
Owner

AnWeber commented Nov 6, 2021

I did not make an extra branch. It is about the commits attached to the issue, or actually about the class deviceCodeFlow. This has the task to map the flow and return either false or the AccessToken. I am not sure if I should rather check for the presence of authorization_pending, or rather for the error status. Microsoft has an additional error bad_verification_code which is not described in the RFC. I'd rather wait too long unnecessarily before aborting at a valid status unknown to me.

@fredrikhr
Contributor Author

Yeah, I usually just check for the auth pending error and would display all other errors to the user. I see you included the slow down error handling as well. Maybe call showNote or showWarning with the error message and continue polling or cancel based on user input.

AnWeber added a commit that referenced this issue Nov 6, 2021
@fredrikhr
Contributor Author

@AnWeber I think this looks great! I tested it with Microsoft Identity platform and it works like a charm! As expected it keeps the session and even picks up the refresh_token if you specify the offline_access scope.

I also managed to recompile the VS Code extension with the new code and tested the UI features of the flow. Everything checks out fine! 👍

@AnWeber
Owner

AnWeber commented Nov 7, 2021

Super. Thanks for the effort in setting up the project locally. I have released version 4.6.0 which includes the change.

@AnWeber AnWeber closed this as completed Nov 7, 2021
vojta7 pushed a commit to vojta7/httpyac that referenced this issue Dec 12, 2022